Day 23

Set Up a PGP Private / Public Key Pair

DAY 23: Set Up a PGP Private / Public Key Pair

Welcome to Day 23 of my 30 day security challenge, the month long challenge I created to help you gain control of your privacy and security online. You can follow along with the security challenge via my blog at snubsie.com, where you can skip ahead or download a checklist of the challenge. Each video will also be curated into a playlist so it'll be easy to follow along from Day 1 all the way through 30 here on Youtube.

Today I'll show you the easiest way I've found to set up PGP encrypted emails.

What is PGP encryption? It stands for Pretty Good Privacy, and it's a way of encrypting and decrypting email. Setting up PGP for your email account gives you a public key that you can send to anyone and anyone can know, plus a private key that only you know. Those keys are tied to each other. When someone sends you a private message, they encrypt it with your public key, then only YOU can decrypt it using the matching private key. Same vice versa when you send someone else an encrypted message. Encrypted PGP messages look like this: [[show pic]], but once you decrypt them, they just look like simple human spoken words or plain text.

Why do we use PGP if we already have 2FA, good passwords, and built in encryption between users of email? Well, some email providers may read your emails and send you targeted advertisements, and some malware could also read your emails and send data to attackers. Adding PGP encryption adds an additional layer of security to your email.

Do you need it for every day emails? No, not really. But if you or a family member constantly sends sensitive information over email, you may want to consider setting up PGP on their accounts as well as yours.

So today I'll show you the legit easiest way I've found to set up PGP for an email account without even needing to generate an encryption key for yourself because a website will do all the hard work for you. The site I used is called Keybase.io and has both an app for computers and smartphones, plus a web interface, plus a command line tool. The app is fairly new but works great for iOS and Android and it's all free. Keybase is also open source which means anyone with the know how can look at the code behind the pretty interface and make sure it doesn't have any suspicious backdoors or malware.

So go on over to keybase.io and create a new account and tie it to your email address. Keybase will do the legwork for you by creating a PGP key pair from your profile. It takes a bit of time to generate one but once it's finished it'll alert you. Then you can verify your identity with social networks. So, for example, if you have a twitter account set up you can tweet something specific from Keybase and that'll tell Keybase that you own both the Twitter account and your Keybase profile. Then you can send your new Keybase profile to your friends so they can follow you on Keybase. For example, I've already set up my Keybase account and tied my twitter to it by tweeting out this message. That tells anyone else who is following me on Keybase that I am who I say I am.

So once you get your profile set up you go on over to other folks profiles and start following them and encrypting messages to each other. So to send a message to someone, I can click on their profile, confirm it's actually them by checking the links to their other accounts, then I can click PGP Encrypt. In the big box, I type up my message to my friend, sign it with my Keybase identity, and encrypt it. I'll receive all this garbled text, but this doesn't actually send it to the friend. I copy and paste this garbled text into my email, then type in his email address and hit send. He'll receive this garbled text.

He copies the text, goes over to Keybase and clicks Decrypt. He will paste that text into the Message to Decrypt box, put in his passphrase, hit decrypt, then tada! The real human readable text shows up on his computer. He's the only one that can unlock that garbled text.

This isn't perfect - it takes a while to jump from Keybase, into email, then back to Keybase to encrypt and decrypt messages since Keybase doesn't actually send the message for you - it just helps you encrypt your messages. And it's way easier to use if your friend already has a Keybase account set up too so you can easily search for their public profile on there (in other words, their public key is stored with Keybase so Keybase can encrypt it for you automagically).

But this is why Keybase also offers an app for Windows, Linux, Mac, Android, iOS, and Chrome / Firefox. The app is downloaded, you login, you verify your device and then you can chat or message other people within the keybase community - so not only does the encryption and decryption happen but also the sending and receiving - so you really don't even need to mess with the whole PGP part. It makes everything way easier.

Pro Tip: If you are an advanced user, I would recommend setting up Keybase in the command line as that is much more secure than using the web based app. Since this is not as consumer friendly, I'm recommending the easier web interface in this security challenge, since it's more convenient for users. Of course I coulda started with talking about the downloadable apps, but understanding what's going on on the backend with PGP is important, and that's what I wanted to explain today.

Day 23 is now complete! Tomorrow is all about how to spot fake emails and fake facebook pages. But first, make sure to subscribe on youtube and hit up snubsie.com for the downloadable checklist and to skip ahead on the 30 day security challenge. Again, I'm Shannon Morse and I'll see you tomorrow for day 24!